Re-use of Authorization Codes is a strict violation of the spec as described in https://datatracker.ietf.org/doc/html/rfc6749#section-4.1.2
I generally agree that a shorter lifetime is fine in most cases, but the lifetime of the authorization code is not what provides security; the single-use requirement does.

On Wed, Sep 21, 2022 at 1:39 AM Joseph Heenan <jos...@authlete.com> wrote:

> Hi all
>
> I couldn't find any text in the current BCP document about the lifetime of
> authorization codes, do people think that this may be worth mentioning?
>
> The only guidance I could find on authorization code lifetimes is RFC
> 6749, 4.1.2:
>
> "A maximum authorization code lifetime of 10 minutes is RECOMMENDED."
>
> Feedback from some vendors (on the FAPI WG) seemed to be that they default
> to shorter lifetimes these days.
>
> Shorter lifetimes seem like they can prevent various attacks, particularly
> if the AS isn't enforcing single-use of authorization code.
>
> (I raised this at
> https://github.com/oauthstuff/draft-ietf-oauth-security-topics/issues/50 too,
> but forgot to email this list at the time)
>
> Thanks
>
> Joseph
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
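As an added illustration of the point made in this thread (not code from the thread or from any authorization server), a minimal in-memory authorization-code store that enforces both the RFC 6749 single-use rule and the 10-minute lifetime from section 4.1.2, and revokes tokens minted from a code that is presented a second time; the class and method names and the `ManualClock` helper are hypothetical.

```python
import secrets
import time
from typing import Optional

CODE_LIFETIME_SECONDS = 600  # RFC 6749 4.1.2: at most 10 minutes RECOMMENDED

class ManualClock:
    """Settable clock so expiry can be exercised deterministically."""
    def __init__(self, now: float = 0.0):
        self.now = now

    def __call__(self) -> float:
        return self.now

class AuthorizationCodeStore:
    """Hypothetical in-memory AS store: one code, one redemption."""
    def __init__(self, lifetime: float = CODE_LIFETIME_SECONDS, clock=time.time):
        self.lifetime = lifetime
        self.clock = clock
        self.codes = {}          # code -> {client_id, issued_at, used, tokens}
        self.active_tokens = set()

    def issue(self, client_id: str) -> str:
        code = secrets.token_urlsafe(32)
        self.codes[code] = {"client_id": client_id, "issued_at": self.clock(),
                            "used": False, "tokens": []}
        return code

    def redeem(self, code: str, client_id: str) -> Optional[str]:
        rec = self.codes.get(code)
        # Unknown code, or code issued to a different client (RFC 6749 4.1.3)
        if rec is None or rec["client_id"] != client_id:
            return None
        if rec["used"]:
            # Second presentation: deny, and revoke every token minted from it
            self.active_tokens.difference_update(rec["tokens"])
            return None
        if self.clock() - rec["issued_at"] > self.lifetime:
            return None  # expired; the lifetime is a backstop, not the control
        rec["used"] = True
        token = secrets.token_urlsafe(32)
        rec["tokens"].append(token)
        self.active_tokens.add(token)
        return token

    def is_token_active(self, token: str) -> bool:
        return token in self.active_tokens
```

A single-use check with revocation on reuse protects even when the lifetime is generous; a short lifetime alone still leaves the window in which a leaked code can be exchanged.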